Nmap.org describes the Nmap Scripting Engine (NSE) as one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts in the Lua programming language to automate a wide variety of networking tasks. Those scripts are executed in parallel, with the speed and efficiency you expect from Nmap. Users can rely on the growing, diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
Nmap's feature set keeps growing. It was introduced as a plain port scanner, and it has now reached a stage where it can be used for basic vulnerability analysis as well. The script database grows with every release: version 5.50, the latest release at the time of writing, ships exactly 177 scripts.
Before script-scanning a network, let us look at a few ready-made scripts that detect various vulnerabilities across the network and its devices in one go, in a very short time. Remember that once you find a vulnerability, you should take corrective action promptly. The fix may be as simple as changing passwords or disabling unused accounts, or as time-consuming and critical as applying security patches or removing a detected worm.
Table 1: Some useful Nmap scripts

| No. | Script | Function |
|---|---|---|
| 1. | dhcp-discover | Finds DHCP servers by sending a DHCP request to UDP port 67 on each target; the server's reply comes back to the DHCP client port, UDP 68. |
| 2. | ftp-bounce | Checks whether an FTP server lets a client proxy connections to other hosts on the network (the FTP bounce attack; please refer to earlier articles, where we have discussed it). |
| 3. | http-iis-webdav-vuln | Checks for the IIS 5.1/IIS 6.0 WebDAV vulnerabilities described in Microsoft security bulletin MS09-020. |
| 4. | ms-sql-info | Reports Microsoft SQL Server version and instance details. |
| 5. | mysql-info | Reports MySQL server details (version, protocol and capabilities) taken from the server's handshake. |
| 6. | p2p-conficker | Checks whether a host is infected with Conficker.C or later by probing the worm's peer-to-peer protocol. |
| 7. | smb-enum-shares | A very useful script that lists the SMB shares on every host in the specified address range (via a null session where allowed, or with credentials passed in the smbusername/smbpassword script arguments). |
| 8. | smb-enum-users | Lists the user accounts on every Windows/Samba host in the specified address range. |
| 9. | sniffer-detect | Checks whether a host on the local Ethernet segment has its network interface in promiscuous mode, which usually means a packet sniffer (typically one built on libpcap) is running. Only works for targets in the same broadcast domain. |
| 10. | sshv1 | Lists hosts whose SSH servers still accept protocol version 1 which, as most of you will be aware, has well-documented weaknesses. |
The main command line options for script scanning are as follows:

-sC
Runs the default set of scripts (equivalent to --script=default).

--script <script, category or expression>
Runs the named script(s) or category; this is what the scans below use.

--script-updatedb
Rebuilds the script database (script.db) after scripts have been added or removed.

Some scripts only perform their dangerous checks when the script argument --script-args=unsafe=1 is supplied. Remember that these are destructive tests: such a script can crash a host that has the corresponding vulnerability. Do not use this option against a live production environment.
The actual scans

To start with, create a file IPList.txt listing the active hosts on the network (the result of a host-discovery scan will do); it is passed to Nmap with -iL to specify the targets. Next, let us analyse the results of a few scans performed in a live environment. When you wish to try these scans yourself, don't forget to obtain written permission from management first.
Checking for SSHv1

Table 2: sshv1 scan

| Command/details | Explanation |
|---|---|
| nmap --script sshv1 -iL IPList.txt -oN sshv1.txt | The command line, running only one script, sshv1; -oN writes Nmap's normal output to sshv1.txt. |

Masked output of sshv1.txt:

Nmap scan report for 192.168.1.4
Host is up (0.00011s latency).
Not shown: 984 closed ports
Sniffer detection

Table 3: sniffer-detect scan

| Command/details | Explanation |
|---|---|
| nmap --script sniffer-detect -iL IPList.txt -oN sniffer-detect.txt | Runs sniffer detection against every host in IPList.txt. |

Masked output of sniffer-detect.txt:

Nmap scan report for 192.168.1.26
Host is up (0.00012s latency).
Not shown: 992 closed ports
MAC Address: 00:XX:XX:XX:XX:2D (Intel Corporate)
Host script results:
|_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: "1_1___1_")

The verdict means the host's interface answered some of the script's crafted probes: a capture library is present, and the card may be in promiscuous mode. Confirm on the host itself before concluding that it is actually sniffing.
smb-enum-users
This is a very interesting script. In one run you can list all the user accounts present across the network, together with their status. Use it to spot accounts belonging to people who have left the organisation, and disable or delete them as per company policy.
Table 4: smb-enum-users scan

| Command/details | Explanation |
|---|---|
| nmap --script smb-enum-users -iL IPList.txt -oN smb-enum-users.txt | Scans all hosts listed in IPList.txt for SMB user accounts. |

Masked output of smb-enum-users.txt:

Nmap scan report for 192.168.1.109
Host is up (0.00015s latency).
Not shown: 989 closed ports
MAC Address: 00:XX:XX:XX:XX:04 (G-pro Computer)
Host script results:
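Running the three scans above across a whole address list produces one -oN file per script, and the practical question is then which hosts need follow-up. The helper script below is an added example, not code from the article or from the Nmap project: it spells out the article's one-script command line and extracts the flagged hosts (and, for smb-enum-users, the account names) from normal-output files. It assumes the "|_script:" / "| script:" result layout seen in the masked output above and the "DOMAIN\user (RID: n)" lines smb-enum-users prints; the embedded sample output is constructed for the demo, with made-up hosts and MAC addresses.

```shell
#!/bin/sh
# Added example (not from the article or Nmap): triage helpers for Nmap
# normal output (-oN) from NSE script scans. Assumes the "|_script:" /
# "| script:" result layout shown in the article's masked output.

# Spell out the article's one-script command line (--script, -iL, -oN).
# Run it with: eval "$(nse_cmd sshv1 IPList.txt sshv1.txt)"
nse_cmd() {
    printf 'nmap --script %s -iL %s -oN %s\n' "$1" "$2" "$3"
}

# Constructed sample -oN output (made-up hosts and MACs, not a real scan)
# covering the three scripts used in the article.
sample_output() {
    cat <<'EOF'
Nmap scan report for 192.168.1.4
Host is up (0.00011s latency).
Not shown: 983 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_sshv1: Server supports SSHv1
2222/tcp open  ssh
|_sshv1: Server supports SSHv1
Nmap scan report for fileserver.example.lan (192.168.1.26)
Host is up (0.00012s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
MAC Address: 00:11:22:33:44:2D (Intel Corporate)
Host script results:
|_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: "1_1___1_")
Nmap scan report for 192.168.1.109
Host is up (0.00015s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-enum-users:
|   WORKGROUP\Administrator (RID: 500)
|     Flags: Password does not expire, Normal user account
|_  WORKGROUP\Guest (RID: 501)
Nmap scan report for 192.168.1.110
Host is up (0.00010s latency).
All 1000 scanned ports on 192.168.1.110 are closed
EOF
}

# flagged_hosts SCRIPT [FILE]: print each host (once) for which SCRIPT
# produced a result; reads stdin when FILE is omitted.
flagged_hosts() {
    awk -v s="$1" '
        /^Nmap scan report for / {
            host = $NF                  # IP, or "(IP)" when a hostname precedes it
            gsub(/[()]/, "", host)
        }
        $0 ~ "^\\|[_ ] *" s ":" && !seen[host]++ { print host }
    ' "${2:-/dev/stdin}"
}

# smb_users [FILE]: print "host<TAB>DOMAIN\user" for every account listed
# under smb-enum-users (lines of the form "|   DOMAIN\user (RID: n)").
smb_users() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); inblk = 0 }
        /^\| *smb-enum-users:/   { inblk = 1; next }
        inblk && !/^\|/          { inblk = 0 }
        inblk && /\(RID: [0-9]+\)/ {
            sub(/^\|[_ ] */, "")        # drop the "|   " / "|_  " prefix
            sub(/ \(RID:.*$/, "")       # keep DOMAIN\user only
            print host "\t" $0
        }
    ' "${1:-/dev/stdin}"
}

# Demo on the constructed sample; point the functions at your own -oN files.
echo "SSHv1 servers:";     sample_output | flagged_hosts sshv1
echo "Possible sniffers:"; sample_output | flagged_hosts sniffer-detect
echo "SMB accounts:";      sample_output | smb_users
```

With real files the calls become `flagged_hosts sshv1 sshv1.txt` and `smb_users smb-enum-users.txt`. The host is reported once even when a script fires on several ports (the two SSH ports in the sample), and a hostname in the scan report line is ignored in favour of the IP address in parentheses. For large scans the XML output (-oX) is the more robust thing to parse, but the normal output the article uses is enough for a quick shortlist.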
The power of Nmap script scans doesn't end here. Scripts can also be selected by category or by wildcard (for example, --script "smb-*" runs every SMB script and --script vuln runs the vulnerability checks), so a whole family of related checks (SMB, HTTP, and so on) can be run in one pass.